Neos Flow is an open source PHP application framework maintained by the Neos team and used as the foundation for the Neos CMS and many custom enterprise applications. It is installed on the operator's own infrastructure and provides building blocks such as routing, dependency injection, object persistence, and security. By default it only sets a session cookie that is strictly necessary to operate the application, which usually does not require consent.
Neos Flow is an open source PHP application framework that originated as the foundation of the Neos CMS and is now used to build a wide range of custom web applications. It offers conventions and components for routing, dependency injection, security, persistence, validation, and command line tooling. Because Flow is installed and operated on the controller's own infrastructure, the maintainers do not receive any data from production deployments.
By default Neos Flow only issues a session cookie used to keep server side state, for example to track an authenticated user or a multi step form. The framework does not bundle analytics, marketing, or fingerprinting code. Any additional cookie, third party script, or tracker is introduced by the development team for the specific application built on Flow.
The default session cookie qualifies as strictly necessary under Article 5(3) of the ePrivacy Directive, which means it can be stored without prior consent. The legal basis under GDPR for related processing is typically legitimate interest or, when the user is logged in, performance of a contract. Personal data handled by the application built on Flow must be processed in line with the GDPR principles of lawfulness, purpose limitation, minimization, and integrity.
No consent is required for the default session cookie. Consent does become necessary when developers add analytics, marketing, social embed, or A/B testing modules. In that case the additional scripts must be blocked until the user opts in through a consent management platform.
Neos Flow is self hosted, so the location of the data is determined by the hosting provider chosen by the controller. There is no automatic transfer to the maintainers or to a SaaS backend. Controllers should make sure their hosting choice respects EU data residency requirements when relevant.
Document the session cookie in the cookie policy as strictly necessary, configure secure cookie flags such as Secure, HttpOnly and SameSite, define realistic session lifetimes, log only what is needed, and review any third party module added to the application for its data protection impact before going live.
DPIA considerations
Neos Flow itself does not perform any large scale processing, profiling, or tracking, so a DPIA is generally not required for the framework. A DPIA may be needed for the specific application built on top of Flow if it processes large volumes of personal data, special categories of data, or performs automated decision making. The assessment should focus on the application logic rather than on the framework.
Sample consent text
This application uses a session cookie required to keep you logged in and to operate the site. This cookie does not require your consent. If we add analytics or marketing cookies, we will ask for your consent separately in the cookie banner.
Third-party domains contacted
flow.neos.io, neos.io, packagist.org
These domains are contacted by developers and by Composer during installation and updates (documentation and package downloads), not by end users' browsers at runtime; a deployed Flow application makes no outbound calls to them on its own.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| Neos_Flow_Session | first_party | Session | Default cookie name in current Flow releases, configurable via the Neos.Flow.session.name setting. Stores the server side session identifier required to keep the user logged in and maintain state across requests. |
| TYPO3_Flow_Session | first_party | Session | The same session cookie under its default name in legacy TYPO3 Flow releases (before the rename to Neos Flow). |
| Neos_Session | first_party | Session | Example of an application specific name chosen by some Flow based applications for the same technical session identifier. |
Note on CSRF: Flow keeps its CSRF protection token in the server side session and transports it as the __csrfToken request argument (a hidden form field rendered by Flow forms), so no separate CSRF cookie is set by default. An application that adds a cookie for this purpose should document it under its own name.
Out of the box Neos Flow sets a single session cookie used to maintain server side state, typically for authentication or multi step workflows. It does not bundle analytics, marketing, or fingerprinting cookies.
No consent is required for the default session cookie because it is strictly necessary under Article 5(3) of the ePrivacy Directive. Consent becomes necessary only if developers add analytics, marketing, or third party embeds to the application built on Flow.
The legal basis is legitimate interest under Article 6(1)(f) GDPR for the technical session and, when the user is logged in, performance of a contract under Article 6(1)(b). Other processing performed by the custom application must be assessed on its own merits.
No. Neos Flow is open source software installed on the operator's own infrastructure and does not send data to the maintainers or to any third country by default. Transfers depend solely on the hosting choice made by the operator.
A DPIA is generally not required for the framework itself. It may be needed for the specific application built on Flow, depending on the categories of data processed, the scale, and the existence of profiling or automated decision making.
Use secure cookie flags, encrypt data at rest, limit retention, log only what is necessary, gate any added third party module behind consent, and document the processing activities in the records of processing.
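The cookie flag and session lifetime recommendations above (in the recommendations section and in this answer) translate into a few lines of Flow configuration. The following Settings.yaml fragment is an added example written for this page; it is not taken from the Neos project or from the original text. The keys follow the Neos.Flow.session section of the framework's default Settings.yaml; the samesite key is assumed to be available in the installed Flow release (recent versions support it), and the cookie name and timeout values are illustrative choices to adapt to the application.

```yaml
# Configuration/Production/Settings.yaml
# Added example (not from the original page or the Neos project): hardened
# session cookie settings for a Flow application. The framework defaults are
# shown in the comments where they differ from the hardened value.
Neos:
  Flow:
    session:
      # Cookie name to document in the cookie policy as strictly necessary
      # (framework default: 'Neos_Flow_Session').
      name: 'Neos_Flow_Session'
      # Server side inactivity timeout in seconds; idle sessions beyond this
      # are discarded. Framework default is 3600; 1800 is a tighter, still
      # realistic value for an authenticated web application (assumption).
      inactivityTimeout: 1800
      cookie:
        # 0 = the cookie expires when the browser session ends, so no
        # persistent identifier is stored on the user's device.
        lifetime: 0
        path: '/'
        # Only transmit the cookie over HTTPS. The framework default is false,
        # which would expose the session identifier on plain HTTP requests.
        secure: true
        # Keep the cookie out of reach of JavaScript so a cross site scripting
        # flaw cannot read the session identifier.
        httponly: true
        # null scopes the cookie to the exact application host.
        domain: null
        # Do not send the cookie on cross site requests; complements Flow's
        # own __csrfToken form protection. Use 'Strict' if the application
        # never needs to be entered from external links while logged in.
        samesite: 'Lax'
```

After deploying, confirm the flags reach the browser by inspecting the response headers, for example with `curl -sI https://your-app.example/ | grep -i set-cookie`, and check that the Set-Cookie line carries Secure, HttpOnly and SameSite and has no Expires or Max-Age attribute. Session settings in Flow are cached, so flush the configuration cache after changing them.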
Alternatives include Symfony, Laravel, Laminas, CodeIgniter, and Yii. The choice depends on team skills, ecosystem, and the specific architectural requirements of the application.
Add a clear entry stating that the application sets a session cookie as strictly necessary, that no analytics or marketing cookies are set by Flow itself, and that any additional cookie comes from custom modules or third party integrations.